Prospect Data Retention Periods Under PIPEDA: What Canadian Schools Must Know

How long can Canadian universities and colleges keep prospect data under PIPEDA, Loi 25, and provincial privacy laws? Retention table, OPC guidance, and CASL compliance checklist.

Skolbot Team · May 20, 2026

Table of contents

  1. How long can a Canadian school legally keep prospect data?
  2. The Canadian privacy framework: three overlapping layers
     • PIPEDA: the federal baseline
     • Quebec's Loi 25: the strictest standard in Canada
     • CASL: the consent and timing layer
     • Provincial frameworks: PIPA in Alberta and British Columbia
  3. Retention periods by data category: the reference table
  4. The three-phase retention lifecycle
     • Phase 1 — Active retention
     • Phase 2 — Intermediate archiving
     • Phase 3 — Deletion or anonymisation
  5. PIPEDA accountability: documenting your retention periods
  6. The chatbot and AI dimension
  7. CASL compliance: the retention-adjacent obligation
  8. Common retention failures at Canadian institutions
  9. Deletion checklist for Canadian admissions teams

How long can a Canadian school legally keep prospect data?

Under PIPEDA's Principle 5 — limiting retention — personal information must be retained only as long as necessary to fulfil the purposes for which it was collected, and then either destroyed, erased, or made anonymous. The Office of the Privacy Commissioner of Canada (OPC) recommends no more than 3 years from the last active contact as the outer limit for prospect marketing records at private higher education institutions. Beyond that threshold, no legitimate recruitment purpose can sustain continued retention.

This is not a theoretical concern. Canadian universities and colleges — from OUAC-linked Ontario institutions to Quebec CEGEPs feeding into university admission — accumulate prospect data across CRMs, chatbots, open house registration tools, and email nurture platforms. Most have no automated purging in place. Understanding the specific obligations under PIPEDA, Quebec's Loi 25, CASL, and provincial frameworks is the starting point for defensible privacy compliance in any admissions operation.

For the full framework governing prospect data in Canadian higher education, see our complete guide to student data protection.

The Canadian privacy framework: three overlapping layers

Unlike the EU's unified GDPR, Canada operates through overlapping federal and provincial legislation. Admissions and marketing teams must understand which layers apply — and where they interact.

PIPEDA: the federal baseline

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organisations that collect, use, or disclose personal information in the course of commercial activities. For private universities, career colleges, and institutions engaged in marketing and recruitment, PIPEDA sets the national floor. It is built on 10 fair information principles, with accountability, consent, and limiting retention at the core.

PIPEDA does not prescribe fixed retention periods. Instead, Principle 5 establishes that information must not be retained longer than necessary. In practice, the OPC's guidance fills the gap: 3 years from last active contact is the outer limit the OPC considers defensible for marketing and prospecting data.

Quebec's Loi 25: the strictest standard in Canada

Quebec's Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (Loi 25) came into full force in September 2024. It introduces explicit obligations on retention: personal information must be destroyed once the purposes of collection are achieved. The law requires a documented retention schedule, a designated privacy officer, and privacy impact assessments for new information systems. Any institution recruiting Quebec prospects — regardless of its own province — must be able to meet Loi 25 requirements. Penalties reach up to $25 million CAD or 4% of worldwide turnover.

CASL: the consent and timing layer

The Canadian Anti-Spam Legislation (CASL) governs commercial electronic messages independently of PIPEDA. It creates a retention-adjacent obligation: implied consent from a prospect inquiry expires after 6 months if no commercial relationship is established. After that window closes, continued email marketing requires express consent. CASL also requires that express consent records be retained for as long as they may be relevant — effectively for the duration of the marketing relationship and the applicable limitation period.

Provincial frameworks: PIPA in Alberta and British Columbia

Alberta's and BC's Personal Information Protection Acts (PIPA) are provincially specific frameworks deemed "substantially similar" to PIPEDA. Institutions operating primarily in these provinces follow PIPA for intra-provincial activities. The retention principle is identical: personal information must not be kept beyond its stated purpose.

Retention periods by data category: the reference table

The following periods reflect OPC guidance and established practice for Canadian schools and universities. They represent the maximum defensible period, not a target. Where your institution has a shorter legitimate purpose, adopt the shorter period.

| Data category | Retention period | Starting point | Legal basis / source |
| --- | --- | --- | --- |
| Prospect contact data (non-converted) | 3 years | Last active contact | OPC retention guidance / PIPEDA Principle 5 |
| Chatbot conversation logs (identified prospect) | 3 years | Last active contact | Part of the prospect retention record |
| Open house / education fair registration | 3 years (if no conversion) | Last active contact | OPC direct marketing guidance |
| Application data — unsuccessful candidate | 2 years | Rejection decision date | Limitation periods / OPC guidance |
| Application data — withdrawn by candidate | 2 years | Withdrawal date | OPC guidance |
| Enrolled student administrative file | 5 years | End of studies | Institutional records standards |
| Financial / accounting records | 10 years | End of financial year | Provincial accounting statutes |
| Card payment data | 13–18 months | Transaction date | PCI DSS / chargeback period |
| Website analytics / cookies | 13 months | Cookie placement | OPC cookie guidance |
| CASL express consent records | Duration of relationship + limitation period | Consent event | CASL s. 13 |

Two points require emphasis. First, the 3-year period for prospect contact data runs from the last active contact — not from the date of initial collection. A chatbot re-engagement, an open house registration, or a replied email resets the clock. Second, chatbot conversation logs linked to an identified prospect form part of that prospect's overall record and follow the same 3-year outer limit.

The three-phase retention lifecycle

Phase 1 — Active retention

During active retention, the data is operationally accessible to admissions and marketing teams. A prospect who submitted an enquiry form is in active retention from the date of collection. The clock runs from the last meaningful engagement — a chatbot interaction, a form submission, an event attendance, or a replied nurture email.

For most prospects who do not convert, active retention should extend no more than 12–18 months from last contact, after which the study intent is most likely abandoned. The 3-year outer limit is not a licence to retain passively — it is the maximum window within which reactivation is conceivably justified.

Phase 2 — Intermediate archiving

Intermediate archiving covers the period between the end of operational use and final deletion. In this phase, data is not accessible to day-to-day admissions activity but is retained for specific justified purposes: potential complaints, regulatory audits, or limitation period protection. Access is restricted and documented.

For unsuccessful application data, this phase covers the 2-year window during which an admissions dispute could be raised. For pure prospect data, intermediate archiving is rarely needed — the 3-year outer limit encompasses the full cycle.

Phase 3 — Deletion or anonymisation

At the end of the retention period, personal information must be securely destroyed, erased, or rendered anonymous. Under Loi 25, destruction must follow a documented process, and a destruction certificate should be retained. Anonymised data — where re-identification is genuinely impossible — falls outside the personal information definition and may be retained as aggregate analytics. Pseudonymised data remains personal information.

Automated purging configured in your CRM and email platform is the most reliable mechanism. Manual deletion processes across multiple systems are error-prone and create accountability gaps that the OPC can identify in an audit.

PIPEDA accountability: documenting your retention periods

PIPEDA's accountability principle (Principle 1) requires that the organisation be able to demonstrate compliance. This means retention periods must be documented — in a privacy policy, an information management policy, or a record of processing activities — and those documented periods must reflect actual practice.

Under Loi 25, institutions must maintain a privacy governance framework that includes explicit retention schedules. The Commission d'accès à l'information du Québec (CAI) can audit this framework during an investigation. For institutions applying to OUAC or working with provincial application centres, documented data governance is increasingly expected.

The chatbot and AI dimension

72% of prospect questions to school chatbots are simple FAQ queries that can be automated; only 7% require human escalation (Source: Skolbot AI chatbot analysis, 2025). The majority of chatbot interactions generate conversation logs without complex personal disclosures — but those logs still constitute personal information when linked to an identified or identifiable individual.

Three rules govern chatbot-generated prospect data under PIPEDA:

Transparent collection notice: before a prospect provides personal information to a chatbot, PIPEDA requires that they be informed of the purposes of collection. A simple opening message explaining that the conversation is recorded and will be used for recruitment purposes satisfies this requirement.

Automatic redaction of sensitive disclosures: prospects routinely share disability status, financial situation, or health conditions in chatbot conversations. These disclosures should trigger automatic redaction or anonymisation at 30 days — well before the 3-year outer limit for the underlying prospect record.

Cross-system deletion at the retention boundary: when a prospect's record is purged from the CRM, the corresponding chatbot conversation logs must be deleted simultaneously. The chatbot vendor's data processing agreement must confirm per-individual deletion capability. For a detailed treatment of the deletion process, see our guide on handling erasure requests for Canadian schools.

CASL compliance: the retention-adjacent obligation

CASL creates a parallel retention obligation that many institutions miss. Express consent records — the documentation proving that a prospect gave opt-in consent for commercial electronic messages — must be retained for as long as they may be relevant to a potential CASL complaint. In practice, this means retaining the consent record for at least the duration of the marketing relationship plus the applicable limitation period (2 years in most provinces under the Limitations Act, 2002, or equivalent).

Implied consent from a prospect enquiry expires after 6 months if no commercial relationship is established. Your CRM must track the date of inquiry and suppress further commercial emails once that window closes — unless express consent has been collected. This expiry tracking is a distinct retention obligation separate from the 3-year PIPEDA limit.
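
The two clocks described above, the 3-year limit counted from the last active contact and the 6-month CASL implied-consent window counted from the inquiry, can be evaluated per prospect in a scheduled job. The following is an added example, not Skolbot's or any CRM vendor's code; the event names, action strings and record layout are assumptions, and the sample records are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Limits stated in the article; constant and action names are this example's own.
PROSPECT_RETENTION_MONTHS = 36   # 3 years from last active contact
CASL_IMPLIED_MONTHS = 6          # implied consent window after an inquiry
# Affirmative actions restart the retention clock; an email open is passive.
ACTIVE_EVENTS = {"chatbot_session", "form_submission", "event_attendance", "email_reply"}

@dataclass
class Prospect:
    prospect_id: str
    inquiry_date: date
    events: list                 # (date, event_type) pairs from the CRM activity feed
    express_consent: bool = False

def add_months(d, months):
    """Calendar-month addition, clamped to the month's last day (31 Aug + 6 -> 28 Feb)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def last_active_contact(p):
    """Latest affirmative engagement; the inquiry itself counts as the first one."""
    return max([p.inquiry_date] + [d for d, kind in p.events if kind in ACTIVE_EVENTS])

def evaluate(p, today):
    """Actions a nightly retention job should queue for one non-converted prospect."""
    if today >= add_months(last_active_contact(p), PROSPECT_RETENTION_MONTHS):
        # CRM record, chatbot logs and mailing-list entry go in the same run.
        return ["purge_crm_record", "purge_chatbot_logs", "unsubscribe_email"]
    if not p.express_consent and today >= add_months(p.inquiry_date, CASL_IMPLIED_MONTHS):
        return ["suppress_commercial_email"]
    return []

# Constructed sample records, evaluated as of a fixed date.
TODAY = date(2026, 5, 20)
SAMPLE = [
    # Only email opens since a 2023 inquiry: clock never reset, past 3 years.
    Prospect("p1", date(2023, 3, 1), [(date(2025, 9, 4), "email_open")]),
    # Replied in 2024 and gave express consent: clock reset, nothing due.
    Prospect("p2", date(2023, 3, 1), [(date(2024, 2, 15), "email_reply")], express_consent=True),
    # Inquiry 9 months ago, no express consent: implied consent has lapsed.
    Prospect("p3", date(2025, 8, 20), [(date(2025, 10, 1), "email_open")]),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.prospect_id, last_active_contact(p), evaluate(p, TODAY))
```

Both comparisons use `>=`, so a record is acted on the day its window closes rather than the day after.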

Common retention failures at Canadian institutions

Failure 1 — The education fair spreadsheet. Prospect contacts collected at an OUAC fair or provincial open house event are exported to Excel, emailed to marketing, and loaded into the CRM without a documented consent record or privacy notice. Multiple PIPEDA and CASL obligations are breached in a single workflow.

Failure 2 — The legacy CRM. Prospect records from 2022 and 2023 remain active in the database, receiving nurture emails. Depending on the last-contact date, many of these records are beyond the 3-year OPC limit.

Failure 3 — Undocumented retention schedules. A retention policy exists in the institutional privacy policy but is not configured in the CRM's purging settings and has never been communicated to the admissions team. The accountability principle requires alignment between documented policy and operational reality.

Failure 4 — CASL implied consent overhang. Prospects who submitted an enquiry 9 months ago, with no subsequent engagement, continue to receive promotional emails. The 6-month CASL implied consent window has expired; continued commercial messaging requires express consent that was never obtained.

Failure 5 — Cookie data beyond 13 months. Data from analytics and advertising pixels is retained beyond the OPC's guidance because the consent management platform was configured at launch and never reviewed. For a comprehensive treatment of this area, see our cookie consent guide for Canadian schools.

Deletion checklist for Canadian admissions teams

  • Retention periods are documented for every processing activity involving prospect data
  • CRM is configured with automated purging at the stated retention limit for each category
  • Email subscriber lists are synchronised with CRM purging: deleted prospect records are unsubscribed simultaneously
  • Chatbot platform: confirmed with vendor that conversation logs can be deleted per individual prospect
  • Open house and education fair attendance records: reviewed and purged at 3 years from the event (if no conversion)
  • Application data for unsuccessful candidates: deleted 2 years after the rejection decision
  • Cookie consent records and analytics data: reviewed at 13 months
  • Financial records: retained for 10 years (provincial accounting statutes)
  • CASL implied consent expiry (6 months from inquiry): tracked and enforced in the CRM
  • CASL express consent records: retained for duration of relationship plus limitation period
  • Staff are aware of the retention schedule and do not maintain shadow Excel copies
  • A process exists to restart the retention clock when a prospect actively re-engages
  • Loi 25 destruction certificate process is documented (for Quebec-recruiting institutions)

For a broader end-to-end compliance framework, see our guide on protecting prospect data in Canadian higher education.

FAQ

What is the standard retention period for prospect data at Canadian schools?

The OPC's retention guidance establishes 3 years from the last active contact as the outer limit for prospect and marketing data under PIPEDA. This is a ceiling, not a floor — if a prospect clearly has no ongoing interest, shorter retention is more defensible. The 3-year clock resets each time the prospect actively engages (a chatbot session, a form submission, an event attendance, or a replied email).

Does opening a marketing email reset the PIPEDA retention clock?

Opening an email is passive behaviour and does not clearly constitute active re-engagement. A reply, a form submission, an open house registration, or a chatbot interaction — actions requiring affirmative steps from the prospect — are the appropriate triggers for restarting the retention period. This distinction is especially important for CASL compliance, where the implied consent window is narrower than the PIPEDA retention limit.

Must retention periods appear in the privacy notice?

Yes. PIPEDA's openness principle requires that privacy policies be publicly available and specify, at a minimum, the types of personal information collected and the purposes of use. Under Loi 25, the privacy policy must explicitly state the retention period for each category of personal information. A notice that says only "we keep data as long as necessary" without criteria does not meet either standard.

Can a Canadian school keep prospect data indefinitely if the prospect never unsubscribes?

No. PIPEDA's limiting retention principle applies regardless of whether the prospect has exercised any rights. Under CASL, the implied consent window has a fixed 6-month expiry. Under Loi 25, retention beyond the purpose is explicitly prohibited. The institution must apply its own documented retention policy proactively — the absence of an unsubscribe request is not a lawful basis for indefinite retention.

What are the OPC's enforcement powers for retention failures?

Under the current PIPEDA framework, the OPC can investigate complaints, make findings, and recommend corrective measures. While PIPEDA currently lacks direct order-making or penalty powers at the federal level, OPC findings carry significant reputational weight, and violations can be referred to Federal Court for enforcement. Under Quebec's Loi 25, the CAI can impose administrative monetary penalties of up to $25 million CAD or 4% of worldwide turnover — the most significant enforcement risk for institutions with Quebec recruitment activity.
